# Go Gin Review Checklist

Extends the generic checklist with Go/Gin-specific items.

## Interface Layer (Gin Handlers)

- [ ] `ShouldBindJSON` / `ShouldBindQuery` with error handling
- [ ] Binding structs have `binding:"required"` tags
- [ ] Custom validators registered with `binding.Validator`
- [ ] Response helpers used consistently (not raw `c.JSON` everywhere)
- [ ] Middleware applied at appropriate scope (global vs group vs handler)

## Business Layer

- [ ] Business logic in service structs with interfaces
- [ ] Context propagation (`context.Context`) through all layers
- [ ] Dependency injection via constructor, not global variables

## Data Layer (GORM / sqlx / database/sql)

- [ ] GORM: `Preload()` instead of lazy loading in loops
- [ ] GORM: `Where("field = ?", value)` — parameterized queries
- [ ] database/sql: prepared statements with placeholders
- [ ] Connection pool: `SetMaxOpenConns`, `SetMaxIdleConns`, `SetConnMaxLifetime`
- [ ] `rows.Close()` always called (or use `defer`)

## Error Handling

- [ ] Errors wrapped with `fmt.Errorf("context: %w", err)` for traceability
- [ ] `errors.Is()` and `errors.As()` for error type checking
- [ ] No `panic()` in request handlers (use recovery middleware)
- [ ] Gin recovery middleware configured

## Security

- [ ] `gin-contrib/cors` with specific origins
- [ ] Rate limiting middleware (e.g., `gin-contrib/limiter`)
- [ ] JWT or session middleware for auth
- [ ] Secrets from environment, never committed
- [ ] `gin.SetMode(gin.ReleaseMode)` in production

## Performance

- [ ] Goroutine pools for concurrent operations (avoid unbounded goroutines)
- [ ] `sync.Pool` for frequently allocated objects
- [ ] Database query limits on all SELECTs
- [ ] `context.WithTimeout` for all external calls
- [ ] JSON serialization with `json:"-"` on sensitive fields
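
The Error Handling items and the `context.WithTimeout` item above, worked through as an added example that is not part of the original checklist or of any project's code: it shows a `%w`-wrapped error still matching `errors.Is` one layer up, including a deadline hit during an external call. The names `fakeQuery`, `GetEmail` and `StatusFor`, the 50 ms timeout and the sample data are assumptions, and only the standard library is used, so the Gin handler itself is left out.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"time"
)

var ErrNotFound = errors.New("not found") // data-layer sentinel

func fakeQuery(ctx context.Context, id int, delay time.Duration) (string, error) {
	select {
	case <-ctx.Done(): // deadline expired before the "query" returned
		return "", ctx.Err()
	case <-time.After(delay): // constructed stand-in for database latency
	}
	if id != 1 {
		return "", ErrNotFound
	}
	return "a@example.test", nil // constructed sample row
}

func GetEmail(ctx context.Context, id int, delay time.Duration) (string, error) {
	ctx, cancel := context.WithTimeout(ctx, 50*time.Millisecond) // bound the call
	defer cancel()
	email, err := fakeQuery(ctx, id, delay) // the same ctx goes down a layer
	if err != nil {
		err = fmt.Errorf("load user %d: %w", id, err) // %w keeps the chain
	}
	return email, err
}

func StatusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrNotFound): // matches through the %w wrapper
		return http.StatusNotFound
	case errors.Is(err, context.DeadlineExceeded): // timeout from WithTimeout
		return http.StatusGatewayTimeout
	}
	return http.StatusInternalServerError // unknown errors stay opaque
}

func main() {
	_, err := GetEmail(context.Background(), 2, 0)
	fmt.Println(StatusFor(err), err)
}
```

In a Gin handler the returned status would go to `c.JSON` with a generic body, while the wrapped error text goes to the server log.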